From 9074d9859e44390ee1deec2c27cef6c9780b0c8c Mon Sep 17 00:00:00 2001
From: Franz Pletz <fpletz@fnordicwalking.de>
Date: Sat, 10 Dec 2016 17:08:42 +0100
Subject: [PATCH] linux: add patch to fix CVE-2016-8655
See https://lwn.net/Articles/708319/ for more information.
---
pkgs/os-specific/linux/kernel/patches.nix | 10 ++++++++-
pkgs/top-level/all-packages.nix | 26 +++++++++++++++++++----
2 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 3fab12b64a6..66f03edbdf2 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -149,6 +149,14 @@ rec {
url = "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git"
+ "/patch/drivers/lguest/x86/core.c?id=cdd77e87eae52";
sha256 = "04xlx6al10cw039av6jkby7gx64zayj8m1k9iza40sw0fydcfqhc";
+ };
+ };
+
+ packet_fix_race_condition_CVE_2016_8655 =
+ { name = "packet_fix_race_condition_CVE_2016_8655.patch";
+ patch = fetchpatch {
+ url = "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/patch/?id=84ac7260236a49c79eede91617700174c2c19b0c";
+ sha256 = "19viqjjgq8j8jiz5yhgmzwhqvhwv175q645qdazd1k69d25nv2ki";
+ };
};
- };
}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 1959cbe4645..07b5f4d021a 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -10927,6 +10927,7 @@ in
linux_mptcp = callPackage ../os-specific/linux/kernel/linux-mptcp.nix {
kernelPatches =
[ kernelPatches.bridge_stp_helper
+ kernelPatches.packet_fix_race_condition_CVE_2016_8655
]
++ lib.optionals ((platform.kernelArch or null) == "mips")
[ kernelPatches.mips_fpureg_emu
@@ -10936,11 +10937,18 @@ in
};
linux_rpi = callPackage ../os-specific/linux/kernel/linux-rpi.nix {
- kernelPatches = [ kernelPatches.bridge_stp_helper ];
+ kernelPatches = with kernelPatches; [
+ bridge_stp_helper
+ packet_fix_race_condition_CVE_2016_8655
+ ];
};
linux_3_10 = callPackage ../os-specific/linux/kernel/linux-3.10.nix {
- kernelPatches = with kernelPatches; [ bridge_stp_helper lguest_entry-linkage ]
+ kernelPatches = with kernelPatches;
+ [ bridge_stp_helper
+ lguest_entry-linkage
+ packet_fix_race_condition_CVE_2016_8655
+ ]
++ lib.optionals ((platform.kernelArch or null) == "mips")
[ kernelPatches.mips_fpureg_emu
kernelPatches.mips_fpu_sigill
@@ -10949,7 +10957,11 @@ in
};
linux_3_12 = callPackage ../os-specific/linux/kernel/linux-3.12.nix {
- kernelPatches = with kernelPatches; [ bridge_stp_helper crc_regression ]
+ kernelPatches = with kernelPatches;
+ [ bridge_stp_helper
+ crc_regression
+ packet_fix_race_condition_CVE_2016_8655
+ ]
++ lib.optionals ((platform.kernelArch or null) == "mips")
[ kernelPatches.mips_fpureg_emu
kernelPatches.mips_fpu_sigill
@@ -10958,7 +10970,10 @@ in
};
linux_3_18 = callPackage ../os-specific/linux/kernel/linux-3.18.nix {
- kernelPatches = [ kernelPatches.bridge_stp_helper ]
+ kernelPatches =
+ [ kernelPatches.bridge_stp_helper
+ kernelPatches.packet_fix_race_condition_CVE_2016_8655
+ ]
++ lib.optionals ((platform.kernelArch or null) == "mips")
[ kernelPatches.mips_fpureg_emu
kernelPatches.mips_fpu_sigill
@@ -10969,6 +10984,7 @@ in
linux_4_1 = callPackage ../os-specific/linux/kernel/linux-4.1.nix {
kernelPatches =
[ kernelPatches.bridge_stp_helper
+ kernelPatches.packet_fix_race_condition_CVE_2016_8655
]
++ lib.optionals ((platform.kernelArch or null) == "mips")
[ kernelPatches.mips_fpureg_emu
@@ -10981,6 +10997,7 @@ in
kernelPatches =
[ kernelPatches.bridge_stp_helper
kernelPatches.cpu-cgroup-v2."4.4"
+ kernelPatches.packet_fix_race_condition_CVE_2016_8655
]
++ lib.optionals ((platform.kernelArch or null) == "mips")
[ kernelPatches.mips_fpureg_emu
@@ -10997,6 +11014,7 @@ in
# !!! 4.7 patch doesn't apply, 4.8 patch not up yet, will keep checking
# kernelPatches.cpu-cgroup-v2."4.7"
kernelPatches.modinst_arg_list_too_long
+ kernelPatches.packet_fix_race_condition_CVE_2016_8655
]
++ lib.optionals ((platform.kernelArch or null) == "mips")
[ kernelPatches.mips_fpureg_emu